Re: Problems with freeradius accounting proxy

2010-02-16 Thread Phil Pierotti
Hi Fajar,

On Tue, Feb 16, 2010 at 1:16 PM, Fajar A. Nugraha  wrote:

> On Tue, Feb 16, 2010 at 6:09 AM, Phil Pierotti 
> wrote:
>
> > Tue Feb 16 09:40:25 2010 : Proxy: Marking home server 192.168.147.2 port
> > 1813 as zombie (it looks like it is dead).
>
> There should be other things before that
>
>
Yes, I agree, there *should* have been something more than that.

I pored over the log, carefully, for a good while. Everything "looked
normal" (get a request, process it, proxy it, get reply, send it back,
lather/rinse/repeat). Nothing at all looking even slightly like "something
is wrong", until that message in the log.


> > Sending Accounting-Request of id 228 to 192.168.147.2 port 1813
> > User-Name := "--...@-"
> > Acct-Status-Type := Stop
> > Acct-Session-Id := ""
> > Event-Timestamp := "Feb 16 2010 09:40:25 EST"
> > NAS-Identifier := "Status Check. Are you alive?"
> > Tue Feb 16 09:40:25 2010 : Debug: Waking up in 0.7 seconds.
> > rad_recv: Accounting-Response packet from host 192.168.147.2 port 1813,
> > id=228, length=20
> > Tue Feb 16 09:40:25 2010 : Proxy: Received response to status check 34 (1
> in
> > current sequence)
>
> Like that one. That particular status check was completed immediately.
> How were other status check responses, do they arrive on time? How
>

"on time" is subjective, but every status-check I saw came back within the
same second. The log has no finer granularity.

I would not be surprised if this is a case of "happy" replies are instant,
but anything with a problem is lagging. Status-check is a known-good
condition (at least the user/pass) so it always succeeds, and is always
fast.


> about actual accounting request, do they get a timely response? It is
>

It could easily be that the downstream server is lagging in responsiveness,
given that it's a db backend.
"Best-case is snappy, worst-case is abysmal" is not at all surprising with a
db.

But the question is how long before "timely" runs out? One second, ten
seconds, half-a-second?

Where (other than reading every single line of a debug log for an entire
day) can I find how happy (or not) freeradius is about a server it is
proxying to? This is a live radius proxy for a small ISP, not just a console
auth-server, so we're seeing anything up to ten requests per second - not
lots-n-lots, but also not practical to eyeball the entire thing in realtime.
Spot-checks are fine, but if nothing broke while you were checking then it's
"tree falls in a forest" time.

Thanks,
Phil P
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problems with freeradius accounting proxy

2010-02-16 Thread Phil Pierotti
> Since you've deleted 99% of the debug log, I can't tell.  Since you
> don't know what to look for in the logs, you can't tell, either.
>

Yes, I have no idea what to look for. If I did, I'd have been looking for
it, rather than asking the list.

Not withstanding your replies, I *still* am no closer to knowing *what* to
look for. (which is odd, because that was my original question)

So, ignoring the previous discussion, I'll ask specific questions.
(anyone please feel free to chip in)

Exactly how does freeradius identify a downstream radius as 'dead' ?

Clearly that's not as trivial as "no replies are received" because there
clearly are replies being received; tcpdump shows replies coming back (ie
the network stack sees acct-reply packets coming back from the downstream
server), the log shows replies coming back (so freeradius sees them too).

Is a server declared 'dead' because one single request did not get a reply?

More than one?

More than two?

Should I keep counting?

Is there any way to find out how many 'missed' replies a downstream server
has?

Is there any way to tell freeradius to log in the debug messages *when* it
has given up and decided "ok, we've obviously missed that request". (because
there's no messages showing that with -X -xx)

Thanks,
Phil P

Re: Problems with freeradius accounting proxy

2010-02-16 Thread Fajar A. Nugraha
On Tue, Feb 16, 2010 at 3:37 PM, Phil Pierotti  wrote:
>> about actual accounting request, do they get a timely response? It is
>
> It could easily be that the downstream server is lagging in responsiveness ,
> given that it's a db backend.
> Best-case is snappy, worst-case is abysmal is not at all surprising with a
> db.
>
> But the question is how long before "timely" runs out? One second, ten
> seconds, half-a-second?

try /etc/raddb/proxy.conf

#
#  If the home server doesn't respond to the request within
#  this time, this server will consider the request dead, and
#  respond to the NAS with an Access-Reject.
#
#  If NO responses are received to any requests sent within this
#  time period, the home server will be marked "zombie", as below.
#
#  Useful range of values: 5 to 60
response_window = 20

>
> Where (other than reading every single line of a debug log for an entire
> day) can I find how happy (or not) freeradius is about a server it is
> proxying to? This is a live radius proxy for a small ISP, not just a console
> auth-server, so we're seeing anything up to ten requests per second - not
> lots-n-lots, but also not practical to eyeball the entire thing in realtime.
> Spot-checks are fine, but if nothing broke while you were checking then it's
> "tree falls in a forest" time.

Do you enable logging? /var/log/radius/radius.log is a good place to start.

-- 
Fajar
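Phil's question was where, short of reading every line of the debug log, to see how a home server is doing. As an added example (not code from the thread or from FreeRADIUS), the Python below pairs each "Sending ...-Request of id N" line with the "rad_recv: ...-Response ... id=N" line for the same home server, measures the elapsed time from the log timestamps, and counts unanswered requests, replies that matched no outstanding request, and "Marking home server ... as zombie" events. The log excerpt it runs on is constructed to mimic the lines quoted above, not real traffic; it assumes an optional timestamp prefix shaped like the "Tue Feb 16 09:40:25 2010 : Proxy:" lines in the thread, and lines without one inherit the previous timestamp. The `over_window` helper flags answered requests that took longer than the `response_window` value from the proxy.conf excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shapes follow the radiusd -X output quoted in the thread. The timestamp
# prefix is optional: a line without one is assumed to belong to the most
# recent timestamp seen, which matches the one-second granularity Phil describes.
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : ")
SEND_RE = re.compile(r"Sending \w+-Request of id (?P<id>\d+) to (?P<host>[\d.]+) port (?P<port>\d+)")
RECV_RE = re.compile(r"rad_recv: \w+-Response packet from host (?P<host>[\d.]+) port (?P<port>\d+), id=(?P<id>\d+)")
ZOMBIE_RE = re.compile(r"Marking home server (?P<host>[\d.]+) port (?P<port>\d+) as zombie")

# Constructed excerpt (not real traffic), modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Tue Feb 16 09:40:20 2010 : Debug: Sending Accounting-Request of id 226 to 192.168.147.2 port 1813
rad_recv: Accounting-Response packet from host 192.168.147.2 port 1813, id=226, length=20
Tue Feb 16 09:40:21 2010 : Debug: Sending Accounting-Request of id 227 to 192.168.147.2 port 1813
Tue Feb 16 09:40:25 2010 : Debug: Sending Accounting-Request of id 228 to 192.168.147.2 port 1813
rad_recv: Accounting-Response packet from host 192.168.147.2 port 1813, id=228, length=20
Tue Feb 16 09:40:25 2010 : Proxy: Marking home server 192.168.147.2 port 1813 as zombie (it looks like it is dead).
Tue Feb 16 09:40:26 2010 : Debug: Sending Accounting-Request of id 229 to 192.168.147.2 port 1813
rad_recv: Accounting-Response packet from host 192.168.147.2 port 1813, id=42, length=20
Tue Feb 16 09:40:44 2010 : Proxy: rad_recv: Accounting-Response packet from host 192.168.147.2 port 1813, id=227, length=20
"""


def new_server_stats():
    return {"answered": 0, "latency": [], "unanswered": [],
            "unmatched_replies": 0, "zombie_events": 0}


def parse_proxy_log(text):
    """Return {(host, port): stats} for every home server seen in the log."""
    stats = defaultdict(new_server_stats)
    pending = {}          # (host, port, id) -> datetime the request was sent
    last_ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            last_ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        m = SEND_RE.search(line)
        if m:
            key = (m["host"], int(m["port"]), int(m["id"]))
            if key in pending:
                # The 8-bit RADIUS id was reused before a reply came back:
                # the earlier request is effectively lost.
                stats[key[:2]]["unanswered"].append(key[2])
            pending[key] = last_ts
            continue
        m = RECV_RE.search(line)
        if m:
            key = (m["host"], int(m["port"]), int(m["id"]))
            srv = stats[key[:2]]
            if key not in pending:
                # A reply for an id we never sent, or already answered: the kind
                # of packet that is not a "correct" response to anything.
                srv["unmatched_replies"] += 1
                continue
            sent = pending.pop(key)
            srv["answered"] += 1
            if sent is not None and last_ts is not None:
                srv["latency"].append((key[2], (last_ts - sent).total_seconds()))
            continue
        m = ZOMBIE_RE.search(line)
        if m:
            stats[(m["host"], int(m["port"]))]["zombie_events"] += 1
    # Whatever is still outstanding at end of log never got a reply.
    for (host, port, rid) in pending:
        stats[(host, port)]["unanswered"].append(rid)
    return dict(stats)


def over_window(stats, window=20):
    """Requests that were answered, but later than proxy.conf's response_window."""
    slow = []
    for (host, port), srv in stats.items():
        for rid, secs in srv["latency"]:
            if secs > window:
                slow.append((host, port, rid, secs))
    return slow


if __name__ == "__main__":
    result = parse_proxy_log(SAMPLE_LOG)
    for (host, port), srv in result.items():
        print(f"{host}:{port} answered={srv['answered']} unanswered={srv['unanswered']} "
              f"unmatched={srv['unmatched_replies']} zombie_events={srv['zombie_events']}")
    print("slower than response_window:", over_window(result, 20))
```

Run it against a saved `radiusd -X` capture instead of `SAMPLE_LOG` to get a per-home-server tally; a growing `unanswered` list or any entry from `over_window` is the "not happy" signal that a spot check of a live log will miss.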


Re: Problems with freeradius accounting proxy

2010-02-16 Thread Alan DeKok
Phil Pierotti wrote:
> Yes, I have no idea what to look for. If I did, I'd have been looking
> for it, rather than asking the list.

  Maybe my messages haven't been clear enough.  The people on this list
know what to look for.  But if you insist on giving *no* information for
us to work with... we can't look.

  It's a puzzle, really.

Q: I have a problem, can you help me?
A: here are some steps you can take to debug it
Q: Why the heck would I do that?
A: Because you want to solve the problem?
Q: Why are you being so mean to me?
A: 

> Not withstanding your replies, I *still* am no closer to knowing *what*
> to look for. (which is odd, because that was my original question)

  My original response stands: post the debug log, and let *us* look.

  You seem to have a problem with doing that.

> Exactly how does freeradius identify a downstream radius as 'dead' ?

  It doesn't respond *correctly* to packets.

> Clearly that's not as trivial as "no replies are received" because there
> clearly are replies being received; tcpdump shows replies coming back
> (ie the network stack sees acct-reply packets coming back from the
> downstream server), the log shows replies coming back (so freeradius
> sees them too).

  Can you explain why you're stuck on tcpdump?  It's nearly irrelevant
to the process.  There are a *lot* of additional steps necessary for the
packet to be deemed a "correct" response.

  And no, those steps aren't relevant for you.  If the packet fails an
additional step, the debug log will show it.  Since you don't know what
to look for, you could very likely miss it in the debug log.

  Hence.. the request for you to post the debug log so that *we* can
read it.

> Is a server declared 'dead' because one single request did not get a reply?
> 
> More than one?
> 
> More than two?
> 
> Should I keep counting?

  How about reading the documentation in proxy.conf?  This *is* documented.

> Is there any  way to find out how many 'missed' replies a downstream
> server has?

  Read raddb/sites-available/status.  This *is* documented.

> Is there any way to tell freeradius to log in the debug messages *when*
> it has given up and decided "ok, we've obviously missed that request".
> (because there's no messages showing that with -X -xx)

  It does that already.

  If you're not seeing it, it's likely because you have home servers in
a fail-over pool, and they are sporadically down.  The proxy tries to
fail over from one server to another.  Since the packet is still "live",
it's not considered to be "missed".

  Either post the debug log for us to look at, or stop pretending that
you want the problem solved.

  Alan DeKok.


Multiple checks items for the same attribute

2010-02-16 Thread Sicly undecided
Hi

Forgive me if this topic has been covered before, for all my searching
I could not find a solution.

I want to be able to check multiple values for the same check
attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
but I'm guessing, since it didn't work, that this only works for reply
attributes.

If anyone can point me in a general direction it would be most appreciated.

Regards


Re: error coovachilli , freeradius, yfi hotspot manager

2010-02-16 Thread Fajar A. Nugraha
On Tue, Feb 16, 2010 at 12:17 PM, taufiq rahman
 wrote:
> I just development coovachilli 1.0.14, with freeradius 2.1.8 and frontend
> with yfi-beta2

> and i debug the coovachilli

>> redir.c: 1023: 98 (Address already in use) IP: 10.1.0.1 Port: 3990 -
>> Waiting for retry.

Start with that. That usually means chilli hasn't been properly configured yet.

> and this debugging of free radius

>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on proxy addiress * port 1814
>> Ready to process requests.

If it stops there then no request has reached freeradius yet. So it's
not an FR problem.

You can try contacting whoever wrote the tutorial for help. Until you
actually get the request to FR, there's not much people on this list
can do to help you.


Re: Multiple checks items for the same attribute

2010-02-16 Thread Fajar A. Nugraha
On Tue, Feb 16, 2010 at 5:24 PM, Sicly undecided
 wrote:
> I want to be able to check multiple values for the same check
> attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
> but I'm guessing, since it didn't work, that this only works for reply
> attributes.
>
> If anyone can point me in a general direction it would be most appreciated.

So you're saying you want access allowed if one of the multiple check
attributes matches?
There's no quick-and-standard way that I know of to achieve that.

You'll probably be able to hack the sql module with custom queries and
schema. For example, I had a requirement where a username will be
allowed access:
- from any Calling-Station-Id (for certain users), OR
- from a list of Calling-Station-Ids, where they comprise numbers
only (phone numbers, to be exact) for most users.

Plus I need to enable/disable a user easily, and limit user validity
only up to a certain time.

The authorize query became this complicated beast:

authorize_check_query = "SELECT
`id`,`UserName`,`Attribute`,`Value`,`op` FROM `${authcheck_table}`
WHERE `UserName` IN ( SELECT `UserName` FROM `${authrestrict_table}`
WHERE `Username` = '%{SQL-User-Name}' AND `Status`='enable' AND
`EXPIRE` > now() ) AND `UserName` IN ( SELECT `UserName` FROM
`${authclinumber_table}` WHERE `Username` = '%{SQL-User-Name}' AND
`clinumber` IN ('ANY', convert('%{Calling-Station-Id}', SIGNED)) )"

The ${authclinumber_table} that I use to list Calling-Station-Ids goes like this
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(20) unsigned | NO   | PRI | NULL    | auto_increment |
| UserName  | varchar(64)      | NO   | MUL |         |                |
| clinumber | varchar(16)      | NO   | MUL | ANY     |                |
+-----------+------------------+------+-----+---------+----------------+

where there can be many UserName-clinumber pairs for each user and
phone number combination, and a clinumber of "ANY" if I want to allow
access from any phone number.

While ${authrestrict_table} that I use to control user validity goes like this
+----------+--------------------------+------+-----+---------------------+----------------+
| Field    | Type                     | Null | Key | Default             | Extra          |
+----------+--------------------------+------+-----+---------------------+----------------+
| id       | int(20) unsigned         | NO   | PRI | NULL                | auto_increment |
| UserName | varchar(64)              | NO   | UNI |                     |                |
| Status   | enum('enable','disable') | NO   |     | enable              |                |
| Expire   | datetime                 | NO   |     | 0000-00-00 00:00:00 |                |
+----------+--------------------------+------+-----+---------------------+----------------+

As you can see it becomes complicated, and again I say this is a hack
(which requires some knowledge of nested SQL query), but should give
you a basic idea of what you need to do.

You could probably also use unlang and sql expansion, but I haven't
had time to look into it for this purpose.

-- 
Fajar
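Fajar's nested authorize_check_query, as an added example that is not from the post: it rebuilds the three tables in an in-memory SQLite database and runs the same query logic from Python, so the enable/disable, expiry and Calling-Station-Id restrictions can be exercised against constructed users. SQLite has neither now() nor convert(..., SIGNED), so the example assumes an ISO-formatted Expire column compared against a caller-supplied timestamp and uses CAST(... AS INTEGER) for the numeric comparison; a non-numeric Calling-Station-Id (a MAC address, say) is passed as NULL so that only a clinumber of 'ANY' can match it. The table and column names follow the post; the users, numbers and passwords are constructed.

```python
import sqlite3
from datetime import datetime

# Tables as described in the post, with MySQL types mapped onto SQLite's.
SCHEMA = """
CREATE TABLE authcheck (
    id INTEGER PRIMARY KEY, UserName TEXT NOT NULL,
    Attribute TEXT NOT NULL, op TEXT NOT NULL, Value TEXT NOT NULL);
CREATE TABLE authrestrict (
    id INTEGER PRIMARY KEY, UserName TEXT NOT NULL UNIQUE,
    Status TEXT NOT NULL DEFAULT 'enable', Expire TEXT NOT NULL);
CREATE TABLE authclinumber (
    id INTEGER PRIMARY KEY, UserName TEXT NOT NULL,
    clinumber TEXT NOT NULL DEFAULT 'ANY');
"""

# The post's authorize_check_query with the MySQL-only pieces swapped out:
# now() becomes the :now parameter, convert(..., SIGNED) becomes CAST, and the
# %{...} expansions become bound parameters.
CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, op FROM authcheck
WHERE UserName IN (SELECT UserName FROM authrestrict
                   WHERE UserName = :user AND Status = 'enable' AND Expire > :now)
  AND UserName IN (SELECT UserName FROM authclinumber
                   WHERE UserName = :user
                     AND (clinumber = 'ANY' OR CAST(clinumber AS INTEGER) = :cli))
"""


def build_demo_db():
    """In-memory database seeded with constructed users (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO authcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [("alice", "Cleartext-Password", ":=", "alice-pw"),
         ("bob", "Cleartext-Password", ":=", "bob-pw"),
         ("carol", "Cleartext-Password", ":=", "carol-pw"),
         ("dave", "Cleartext-Password", ":=", "dave-pw")])
    conn.executemany(
        "INSERT INTO authrestrict (UserName, Status, Expire) VALUES (?, ?, ?)",
        [("alice", "enable", "2099-01-01 00:00:00"),
         ("bob", "enable", "2099-01-01 00:00:00"),
         ("carol", "disable", "2099-01-01 00:00:00"),   # switched off by the admin
         ("dave", "enable", "2009-12-31 23:59:59")])    # validity already expired
    conn.executemany(
        "INSERT INTO authclinumber (UserName, clinumber) VALUES (?, ?)",
        [("alice", "ANY"),          # any caller
         ("bob", "5551234"),        # only these two phone numbers
         ("bob", "5559876"),
         ("carol", "ANY"),
         ("dave", "ANY")])
    return conn


def authorize_check(conn, username, calling_station_id, now=None):
    """Return the (Attribute, op, Value) check items rlm_sql would get back.

    An empty list means the user is disabled, expired, or calling from a
    number that is not on their list, so no password is ever compared."""
    now = now or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    # Mirror convert(..., SIGNED): compare numerically so '05551234' and
    # '5551234' match; a non-numeric id gets NULL and matches only 'ANY'.
    cli = int(calling_station_id) if calling_station_id.isdigit() else None
    rows = conn.execute(CHECK_QUERY, {"user": username, "now": now, "cli": cli}).fetchall()
    return [(attr, op, value) for (_id, _user, attr, value, op) in rows]


if __name__ == "__main__":
    db = build_demo_db()
    for user, cli in [("alice", "00-11-22-33-44-55"), ("bob", "5551234"),
                      ("bob", "5550000"), ("carol", "5551234"), ("dave", "5551234")]:
        print(user, cli, "->", authorize_check(db, user, cli) or "no check items (rejected)")
```

The point the post relies on is that the filtering happens inside the check query: a user who fails any of the three conditions gets no check items back, so there is no password for the authentication stage to compare against, and the sql module never has to know why.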


Re: Multiple checks items for the same attribute

2010-02-16 Thread Alan DeKok
Sicly undecided wrote:
> Forgive me if this topic has been covered before, for all my searching
> I could not find a solution.

$ man unlang

> I want to be able to check multiple values for the same check
> attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
> but I'm guessing, since it didn't work, that this only works for reply
> attributes.

  In... the "users" file?  SQL?  Where?

  Alan DeKok.


Re: Multiple checks items for the same attribute

2010-02-16 Thread Sicly undecided
>  In... the "users" file?  SQL?  Where?

Sorry I forgot to mention... SQL

On Tue, Feb 16, 2010 at 1:17 PM, Alan DeKok  wrote:
> Sicly undecided wrote:
>> Forgive me if this topic has been covered before, for all my searching
>> I could not find a solution.
>
> $ man unlang
>
>> I want to be able to check multiple values for the same check
>> attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
>> but I'm guessing, since it didn't work, that this only works for reply
>> attributes.
>
>  In... the "users" file?  SQL?  Where?
>
>  Alan DeKok.



no response to Access-Challenge

2010-02-16 Thread Vieri
Hi,

Sorry for the rookie question but I'd like to know what I can make of the 
following:

I have just one wireless device, an access point and a freeradius server.

When the supplicant tries to connect I can see the following messages in FR 
over and over:

rad_recv: Access-Request packet from...

...

Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x2bd535b12bd72c983ec1de5e3f93e675
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 46 with timestamp +771
Ready to process requests.

There are quite a few Access-Request/Access-Challenge pairs (it goes on for 
about a minute or two) until the supplicant finally succeeds to connect with 
TLS handshakes and so on (WPA2+AES+EAP-TLS).

What can be causing this delay?
It's as if the "conversation were out of sync" or as if one side weren't 
"listening".
Could it be AP, the client supplicant, the wlan driver?

If I were to use a packet sniffer like wireshark, what "filter" could I apply 
and what should I look for?

Ideas are welcome.

Thanks

Vieri


Re: Multiple checks items for the same attribute

2010-02-16 Thread Sicly undecided
Thanks Fajar... didn't see your response there at first. Wasn't
expecting to find an easy way to do this. That looks like exactly what I
need.

Thank you both again

On Tue, Feb 16, 2010 at 2:38 PM, Sicly undecided
 wrote:
>>  In... the "users" file?  SQL?  Where?
>
> Sorry I forgot to mention... SQL
>
> On Tue, Feb 16, 2010 at 1:17 PM, Alan DeKok  wrote:
>> Sicly undecided wrote:
>>> Forgive me if this topic has been covered before, for all my searching
>>> I could not find a solution.
>>
>> $ man unlang
>>
>>> I want to be able to check multiple values for the same check
>>> attribute (nas ipaddress || nas port). I have tried the ":=, +=" way,
>>> but I'm guessing, since it didn't work, that this only works for reply
>>> attributes.
>>
>>  In... the "users" file?  SQL?  Where?
>>
>>  Alan DeKok.
>



Re: no response to Access-Challenge

2010-02-16 Thread Alan DeKok
Vieri wrote:
> Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State = 0x2bd535b12bd72c983ec1de5e3f93e675
> Finished request 18.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 18 ID 46 with timestamp +771
> Ready to process requests.

  Read the FAQ and raddb/eap.conf.  Look for "Access-Challenge"

  Alan DeKok.


Re: radius for linux authentication

2010-02-16 Thread sri . b
Thank you Fajar.
I added an additional argument to the lib pam radius like "realm=192.168.100.10"
and this realm is appended to the user like u...@192.168.100.10. This solved
my problem.

Regards,
Sri.

On Thu, Feb 11, 2010 at 5:20 PM,   wrote:
>> Now the problem is how to identify a user like root that has the same name on
>> multiple machines.
>> For this I observed that this PAM library is sending
>> Calling-Station-Id in Access-Request packets.
>> I did modify my radcheck table to have entries as following:
>> +----+-----------+--------------------+----+----------------+
>> | id | UserName  | Attribute          | op | Value          |
>> +----+-----------+--------------------+----+----------------+
>> |  1 | linuxuser | Password           | == | radpwd         |
>> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
>> | 11 | root      | Password           | == | 10radpwd       |
>> | 10 | root      | Password           | == | 61radpwd       |
>> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
>> +----+-----------+--------------------+----+----------------+
>>
>> But it failed to authenticate.
>
> That won't work. You're NOT supposed to have different passwords for
> the same user name.
> When using centralized authentication (radius, LDAP, Active
> Directory, whatever), a user will use the same password regardless of
> other attributes (like Calling-Station-Id).
>
> That being said, freeradius is highly customizable. You could, for
> example, use unlang to modify the username to become
> "r...@192.168.100.10". See
> http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html
> and
> http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html
> for example. It does the reverse of what you're trying to do, but you
> can look at the example to see how you could modify the value of
> User-Name in the request attributes.
>
> Another approach would be to use a custom user table (adding another
> column, CallingStationId), plus modify queries in dialup.conf so it
> says "WHERE username = '%{SQL-User-Name}' AND
> CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE
> username = '%{SQL-User-Name}' ". Your table would then look something
> like this
>
> +----+----------+-----------+----+----------+------------------+
> | id | UserName | Attribute | op | Value    | CallingStationId |
> +----+----------+-----------+----+----------+------------------+
> | 11 | root     | Password  | == | 10radpwd | 192.168.100.10   |
> | 10 | root     | Password  | == | 61radpwd | 192.168.100.61   |
> +----+----------+-----------+----+----------+------------------+
>
> but with this method you need to define ALL calling-station-ids and
> their corresponding passwords. I consider this a hack though. You
> should avoid this unless you ABSOLUTELY know what you're doing, as
> you're unlikely to get help from others if you experience problems due
> to this "hack".
>
> --
> Fajar

-----Original Message-----
From: sr...@aol.in
To: freeradius-users@lists.freeradius.org
Sent: Thu, 11 Feb 2010 3:50 pm
Subject: radius for linux authentication

Hi List,

I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with
MySQL backend) authentication.
Installation of pam library went well and am able to get authenticated against
my freeRadius server.
Now the problem is how to identify a user like root that has the same name on
multiple machines. For this I observed that this PAM library is sending
Calling-Station-Id in Access-Request packets.
I did modify my radcheck table to have entries as following:
+----+-----------+--------------------+----+----------------+
| id | UserName  | Attribute          | op | Value          |
+----+-----------+--------------------+----+----------------+
|  1 | linuxuser | Password           | == | radpwd         |
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
| 11 | root      | Password           | == | 10radpwd       |
| 10 | root      | Password           | == | 61radpwd       |
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
+----+-----------+--------------------+----+----------------+

But it failed to authenticate.

Please suggest what could be the problem, ASAP.
Also, are there any other ways to handle this kind of situation.

Appreciate your help.

Regards,
Sri.


Re: radiusd not responding to radtest

2010-02-16 Thread Alan Buxey
Hi,

> Thanks this was fixed by commenting out the ::1 entry in /etc/hosts as 
> we don't intend to run IPv6 on the box

if you don't intend to run IPv6 on that server then I'd suggest to
turn it off - otherwise you may have no ::1 in /etc/hosts but your IPv6 stack
is running and ALL daemons etc that can do IPv6 *will* do IPv6 - that'd
include FreeRADIUS if it's set to use DNS names and they look up nicely
to IPv6 addresses - e.g. the UK National JRS proxies.

here's some help

http://www.cyberciti.biz/tips/linux-how-to-disable-the-ipv6-protocol.html

alan


Re: radiusd not responding to radtest

2010-02-16 Thread Alan Buxey
Hi,

> rad_recv: Access-Request packet from host 127.0.0.1 port 46723, id=155, 
> length=56
>  User-Name = "test"
>  User-Password = "test"
>  NAS-IP-Address = 127.0.0.1
>  NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop

this means the user 'test' was not found - in either the passwd file or
the users file ('files' module default location), and it wasn't an EAP message
so the EAP module did nothing.

if you add

test Cleartext-Password := "test"

to the users file and restart, you'll have success...this is a very basic test

alan


Re: radiusd not responding to radtest

2010-02-16 Thread Colin Byelong

Hi Alan,

Thanks for the help we have turned IPv6 off

Thanks

Colin

-- 
Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: radiusd not responding to radtest

2010-02-16 Thread Colin Byelong

Hi Alan,

I figured out that I would need to add a test user in the users file,
thanks for looking at it though.
We are still testing in the lab, we hope to use this to replace our
existing ORPS that's running radiator, so we are trying to configure a
server that will use EAP-TTLS with a PAP inner that talks to a LDAP
backend for ucl.ac.uk users and sends everything else to the NRPS. I
expect I'll be sending another post soon.


Thanks

Colin


-- 
Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




update session database in Authorization

2010-02-16 Thread Houssam Melhem
Hello,

When 2 users with the same username try to login to the server at the same
time, the Radius server receives Auth and Acct packets in the following order:

1- Auth from user1
2- Auth from user2
3- Acct from user1
4- Acct from user2

Since the session database is not populated until a user sends an accounting
packet (using the radutmp or sql modules), how can we prevent multiple logins
in this situation? Shall we think of adding a record to the session database
in the authorization section?


I am using freeradius-2.1.6

configurations
==============
authorize {
        preprocess
        chap
        suffix
        files
        sql
        pap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
#       radutmp
        sql
}
session {
#       radutmp
        sql
}


Thanks,
Houssam

Re: update session database in Authorization

2010-02-16 Thread Fajar A. Nugraha
On Wed, Feb 17, 2010 at 12:19 AM, Houssam Melhem  wrote:
> How can we prevent multiple login in this situation? shall we think in
> adding a record to the session database in authorization section?

In a normal situation, an acct-capable NAS sends acct-start immediately
after it receives access-accept, so there should be no need for you to
do that manually.

-- 
Fajar


Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-16 Thread Adam Wien
I'm trying to get FreeRadius working with a Cisco WLC.

I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.

I can't seem to deny access using this attribute.

Is there a trick to this?


Thanks,

-adam


which module causes this?

2010-02-16 Thread Kledi Andoni
Hello,

Very often, I can say at least 50% of the time I get:

Auth: Login incorrect: [1d15057j6p4/\270\310\344\024\n\265E!-\233M\2766\276:] 
(from client private-network-2 port 1 cli)
The username: 1d15057j6p4 is correct, but as you can see the password is not
transmitted correctly, although I'm very sure I typed it right.

Any suggestions?

Thank you,
k


Re: which module causes this?

2010-02-16 Thread Kenneth Grady
You might verify the shared secret in the clients.conf and the 
private-network-2 device.


Kledi Andoni wrote:
> Hello,
>
> Very often, I can say at least 50% of the time I get:
>
> Auth: Login incorrect: [1d15057j6p4/\270\310\344\024\n\265E!-\233M\2766\276:]
> (from client private-network-2 port 1 cli)
> The username: 1d15057j6p4 is correct, but as you can see the password is not
> transmitted correctly, although I'm very sure I typed it right.
>
> Any suggestions?
>
> Thank you,
> k



Re: update session database in Authorization

2010-02-16 Thread Houssam Melhem
Hello,
You are right, I have this problem with the Pheenet access point and Nomadix AG;
for Cisco NAS I have no problem.
If I need to fix this issue what is the recommended solution to fix this
issue?
If I modify the authorize section to save sessions does it break the Radius
Protocol?
I am thinking of patching rlm_sql, what do you think?

Thanks,
Houssam

On Wed, Feb 17, 2010 at 12:19 AM, Fajar A. Nugraha  wrote:

> On Wed, Feb 17, 2010 at 12:19 AM, Houssam Melhem 
> wrote:
> > How can we prevent multiple login in this situation? shall we think in
> > adding a record to the session database in authorization section?
>
> In normal situation, acct-capable NAS send acct-start immediately
> after it receives access-accept, so there should be no need for you to
> do that manually.
>
> --
> Fajar

Re: update session database in Authorization

2010-02-16 Thread Fajar A. Nugraha
On Wed, Feb 17, 2010 at 7:16 AM, Houssam Melhem  wrote:
> Hello,
> You are right, I have this problem with Pheenet Access point and Nomadix AG,
> for cisco NAS I have no problem
> If I need to fix this issue what is the recommended solution to fix this
> issue?

Well, I'd say you need to find the root cause of the problem first. Do they
not send acct-start at all? Do they send it late?
It's possible that they don't support acct at all (wireless APs used
for 802.1x usually only use auth), so you'll have a hard time (if it's even
possible) limiting simultaneous connections.

> If I modify the authorize section to save sessions does it break Radius
> Protocol ?

It wouldn't be a REAL accounting session. It'd be just some data you put
there based on the information available during auth. You won't have
enough information (like AcctSessionId) to create a real accounting
entry.

> I am thinking in patching rlm_sql, what do you think?

You can just use post-auth section, no need to patch the source code.
See the example for "Authentication Logging Queries".

-- 
Fajar


How to access config parameters for rlm_perl

2010-02-16 Thread David Donn
Hi,

I want to set up some config parameters for use in my perl module. I
think these are supposed to be in the RAD_CONFIG hash. But this hash
always seems to be empty.

Any ideas? Maybe I have my config parameters defined in the wrong
place?

Cheers,
David Donn

My site file:
accounting {
        example
}

My rlm_perl config file (from /etc/raddb/modules):
perl example {
        module = ${confdir}/example.pl
        foo = bar
}

My perl code (example.pl):
use strict;

# use ...
# This is very important ! Without this script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG);

use constant RLM_MODULE_OK => 2;   # /* the module is OK, continue */

use constant LOG_ERROR => 4;

sub accounting {

        # doesn't print anything, expected it to print "module =
        # /etc/raddb/example.pl" and "foo = bar"
        foreach my $k (keys %RAD_CONFIG) {
                &radiusd::radlog(LOG_ERROR, "Config $k = $RAD_CONFIG{$k}");
        }

        return RLM_MODULE_OK;
}




Re: which module causes this?

2010-02-16 Thread Alan DeKok
Kledi Andoni wrote:
> Hello,
> 
> Very often, I can say at least 50% of the time I get:
> 
> Auth: Login incorrect: [1d15057j6p4/\270\310\344\024\n\265E!-\233M\2766\276:] 
> (from client private-network-2 port 1 cli)
> The username: 1d15057j6p4 is correct, but as you can see the password is not 
> transmitted correctly, although I'm very sure I typed it right. 
> 
> Any suggestions?

  If you run it in debugging mode, you will see a large message
suggesting that you check the shared secret.

  Alan DeKok.
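Alan's pointer to the shared secret, illustrated with an added example that is not from the thread: a NAS hides User-Password by XORing it with MD5(secret + Request-Authenticator) (RFC 2865 section 5.2, chained block by block), so a server configured with a different secret than the client unhides it into random-looking bytes, which is exactly what the octal escapes in the "Login incorrect" line look like. The code below implements both sides of that transform plus a rendering that mimics the log's escaping and a small "does this password half look like noise" check for a log watcher. The secret, authenticator and password are constructed values.

```python
import hashlib

BLOCK = 16


def hide_password(password, secret, authenticator):
    """Hide User-Password the way a NAS does before sending an Access-Request
    (RFC 2865 section 5.2): pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block); the first "previous block" is the
    16-octet Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK) or b"\x00" * BLOCK
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Undo hide_password as the server does. With a mismatched secret the
    keystream is wrong and the result is noise instead of the password."""
    if len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    revealed = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return revealed.rstrip(b"\x00")


def octal_escape(data):
    """Render bytes roughly the way the radius.log line in the thread shows
    them: printable ASCII as-is, anything else as a three-digit octal escape."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\%03o" % b for b in data)


def looks_garbled(data):
    """Heuristic for the password half of a 'Login incorrect: [user/password]'
    line: typed passwords are printable; a wrong shared secret almost always
    yields bytes outside that range, so a run of such lines from one client
    points at clients.conf rather than at the user."""
    return any(b < 0x20 or b >= 0x7F for b in data)


if __name__ == "__main__":
    # Constructed values: a fixed authenticator keeps the demo deterministic.
    authenticator = bytes(range(16))
    hidden = hide_password(b"radpwd", b"testing123", authenticator)
    print("correct secret :", octal_escape(reveal_password(hidden, b"testing123", authenticator)))
    print("wrong secret   :", octal_escape(reveal_password(hidden, b"testing124", authenticator)))
```

Note that a mismatched secret does not make the packet fail outright: the Request Authenticator is random for Access-Request, so the server can only tell something is wrong once the unhidden password fails to match, which is why the symptom is "Login incorrect" with garbage rather than a dropped packet.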


Re: How to access config parameters for rlm_perl

2010-02-16 Thread Alan DeKok
David Donn wrote:
> I want to set up some config parameters for use in my perl module. I
> think these are supposed to be in the RAD_CONFIG hash. But this hash
> always seems to be empty.

  That hash is per-request configuration.  i.e. authentication type, etc.

> My rlm_perl config file (from /etc/raddb/modules):
> perl example {
> 
> module = ${confdir}/example.pl
> 
> foo = bar
> 
> }
> 
> My perl code (example.pl):
> use strict;
...
> # doesn't print anything, expected it to print "module =
> /etc/raddb/example.pl" and "foo = bar"
> foreach my $k (keys %RAD_CONFIG) {

  You cannot access the configuration files from rlm_perl.

  Try describing a problem rather than a solution.  Maybe there's
another solution that works.

  Alan DeKok.


Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-16 Thread Alan DeKok
Adam Wien wrote:
> I'm trying to get FreeRadius working with a Cisco WLC.
> 
> I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
> 
> I can't seem to deny access using this attribute.

  "I tried stuff and it didn't work".

> Is there a trick to this?

  Describe what you did (text copied from the configuration files), and
what happened (text copied from debug output)

  Alan DeKok.